Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-forking' into 'master'

Resolve "Prevent projects from being shared outside a GMA group" - forking case Closes #12420 See merge request gitlab-org/gitlab!26456

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-forking' into 'master'
Resolve "Prevent projects from being shared outside a GMA group" - forking case Closes #12420 See merge request gitlab-org/gitlab!26456
de66a69b · Stan Hu · da5370ee · 57636695 · de66a69b · de66a69b
Commit de66a69b authored Mar 09, 2020 by Stan Hu
3 changed files
--- a/ee/app/services/ee/projects/group_links/create_service.rb
+++ b/ee/app/services/ee/projects/group_links/create_service.rb
@@ -8,7 +8,7 @@ module EE
        override :execute
        def execute(group)
-          return error(error_message, 409) unless group_allowed_to_be_shared_with?(group)
+          return error(error_message, 409) unless allowed_to_be_shared_with?(group)
          result = super
@@ -18,10 +18,17 @@ module EE
        private
-        def group_allowed_to_be_shared_with?(group)
+        def allowed_to_be_shared_with?(group)
-          return true unless project.root_ancestor.kind == 'group' && project.root_ancestor.enforced_sso?
+          project_can_be_shared_with_group = project_can_be_shared_with_group?(group, project)
+          source_project_can_be_shared_with_group = project.forked? ? project_can_be_shared_with_group?(group, project.forked_from_project) : true
-          group.root_ancestor == project.root_ancestor
+          project_can_be_shared_with_group && source_project_can_be_shared_with_group
+        end
+        def project_can_be_shared_with_group?(group, given_project)
+          return true unless given_project.root_ancestor.kind == 'group' && given_project.root_ancestor.enforced_sso?
+          group.root_ancestor == given_project.root_ancestor
        end
        def error_message

--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-forking.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-forking.yml
+---
+title: Restrict inviting outside group to a project forked from a group with enforced SSO
+merge_request: 26456
+author:
+type: changed
--- a/ee/spec/services/projects/group_links/create_service_spec.rb
+++ b/ee/spec/services/projects/group_links/create_service_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 describe Projects::GroupLinks::CreateService, '#execute' do
+  include ProjectForksHelper
  let(:user) { create :user }
  let(:project) { create :project }
  let(:group) { create(:group, visibility_level: 0) }
@@ -40,6 +42,8 @@ describe Projects::GroupLinks::CreateService, '#execute' do
  context 'when project is in sso enforced group' do
    let(:saml_provider) { create(:saml_provider, enforced_sso: true) }
    let(:root_group) { saml_provider.group }
+    let(:identity) { create(:group_saml_identity, saml_provider: saml_provider) }
+    let(:user) { identity.user }
    let(:project) { create(:project, :private, group: root_group) }
    let(:subject) { described_class.new(project, user, opts) }
@@ -82,6 +86,75 @@ describe Projects::GroupLinks::CreateService, '#execute' do
        end
      end
    end
+    context 'when project is forked from group with enforced SSO' do
+      let(:forked_project) { create(:project) }
+      before do
+        root_group.add_developer(user)
+        fork_project(project, user, target_project: forked_project)
+      end
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+        it 'does not add group to project' do
+          expect { described_class.new(forked_project, user, opts).execute(group_to_invite) }.not_to change { forked_project.project_group_links.count }
+        end
+        it 'returns error status and message' do
+          result = described_class.new(forked_project, user, opts).execute(group_to_invite)
+          expect(result[:message]).to eq('This group cannot be invited to a project inside a group with enforced SSO')
+          expect(result[:status]).to eq(:error)
+        end
+      end
+      context 'when invited group is in the top group' do
+        let(:group_to_invite) { create(:group, parent: root_group) }
+        it 'adds group to project' do
+          expect { described_class.new(forked_project, user, opts).execute(group_to_invite) }.to change { forked_project.project_group_links.count }.from(0).to(1)
+          group_link = forked_project.project_group_links.first
+          expect(group_link.group_id).to eq(group_to_invite.id)
+          expect(group_link.project_id).to eq(forked_project.id)
+        end
+      end
+    end
+    context 'when project is forked to group with enforced sso' do
+      let(:source_project) { create(:project) }
+      before do
+        source_project.add_developer(user)
+        fork_project(source_project, user, target_project: project)
+      end
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+        it 'does not add group to project' do
+          expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+        end
+      end
+      context 'when invited group is in the top group' do
+        let(:group_to_invite) { create(:group, parent: root_group) }
+        it 'adds group to project' do
+          expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+          group_link = project.project_group_links.first
+          expect(group_link.group_id).to eq(group_to_invite.id)
+          expect(group_link.project_id).to eq(project.id)
+        end
+      end
+    end
  end
  def create_group_link(user, project, group, opts)